LTI XBlock and SameSite

Thanks for posting this @Zachary_Trabookis!

I followed these steps on my Juniper sandbox which is an LTI provider. (Note: had to modify lms.envs.production to add the additional settings instead of lms.envs.private, since it’s not a devstack.)

EDIT Please disregard the notes below. These issues were resolved by creating a brand new session.

I didn’t use SESSION_COOKIE_SAMESITE_KEYS, just SESSION_COOKIE_SAMESITE_FORCE_ALL and thought that would be enough, but the sessionid cookie doesn’t get marked SameSite: None. All the others did though:

| Name | Secure | SameSite |
|---|---|---|
| JSESSIONID | | None |
| csrftoken | | None |
| edx-jwt-cookie-header-payload | | None |
| edx-jwt-cookie-signature | | None |
| edx-user-info | | None |
| edxloggedin | | None |
| experiments_is_enterprise | | None |
| sessionid | | |

However, when using LTI to access the provider sandbox, only one cookie was marked SameSite: None, and the rest were not. LTI is using OAuth to authenticate, so maybe there’s something different there with how cookies get created?

| Name | Secure | SameSite |
|---|---|---|
| JSESSIONID | | None |
| csrftoken | | |
| sessionid | | |

CC @DanielMcQ @sambapete

I haven’t dug into the code to see why this might be.

EDIT Replacing SESSION_COOKIE_SAMESITE_FORCE_ALL with this setting didn’t make a difference to the sessionid or csrftoken cookies:

SESSION_COOKIE_SAMESITE_KEYS = ['JSESSIONID', 'csrftoken', 'edx-jwt-cookie-header-payload', 'edx-jwt-cookie-signature', 'edx-user-info', 'edxloggedin', 'experiments_is_enterprise', 'sessionid']
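A quick way to verify what the browser actually receives, independent of which Django setting is in play, is to audit the Set-Cookie headers of a launch response against the cookie list above. This is an added example, not code from the post or from Open edX; the sample headers are constructed to mirror the second table (only JSESSIONID marked SameSite=None), and the cookie list is copied from the SESSION_COOKIE_SAMESITE_KEYS value above.

```python
# Cookies from the post's SESSION_COOKIE_SAMESITE_KEYS. Each must reach the
# browser with SameSite=None (plus Secure, which browsers require alongside
# SameSite=None) for a cross-site LTI iframe launch to keep its session.
EXPECTED_SAMESITE_NONE = [
    'JSESSIONID', 'csrftoken', 'edx-jwt-cookie-header-payload',
    'edx-jwt-cookie-signature', 'edx-user-info', 'edxloggedin',
    'experiments_is_enterprise', 'sessionid',
]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into its name, SameSite and Secure flags."""
    parts = [p.strip() for p in header_value.split(';')]
    name = parts[0].split('=', 1)[0].strip()
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition('=')
        key = key.strip().lower()
        if key == 'samesite':
            samesite = value.strip().lower() or None
        elif key == 'secure':
            secure = True
    return {'name': name, 'samesite': samesite, 'secure': secure}


def audit_lti_cookies(set_cookie_headers, expected=EXPECTED_SAMESITE_NONE):
    """Return one finding per expected cookie the browser would withhold or reject."""
    seen = {c['name']: c for c in map(parse_set_cookie, set_cookie_headers)}
    findings = []
    for name in expected:
        c = seen.get(name)
        if c is None:
            continue  # not set in this response, so nothing to judge
        if c['samesite'] != 'none':
            # Chrome 80+ treats a missing SameSite as Lax, so the cookie is not
            # sent to the third-party iframe: the sessionid/csrftoken symptom above.
            findings.append(f"{name}: SameSite is {c['samesite'] or 'unset'} (needs None)")
        elif not c['secure']:
            findings.append(f"{name}: SameSite=None without Secure is rejected by browsers")
    return findings


# Constructed sample mirroring the LTI-launch table: only JSESSIONID carries
# SameSite=None; csrftoken and sessionid arrive without a SameSite attribute.
SAMPLE_HEADERS = [
    'JSESSIONID=abc123; Path=/; Secure; SameSite=None',
    'csrftoken=def456; Path=/; Secure',
    'sessionid=ghi789; Path=/; HttpOnly',
]
```

Feed it the raw Set-Cookie values from the browser's network panel (or from a requests response) to see exactly which cookies the middleware has and has not rewritten.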